Gaza Cybergang Uses QuasarRAT to Target Governments

Researchers at Palo Alto Networks have spotted new attacks they believe have been launched by the cyber espionage group known as Gaza Cybergang, and discovered that one of the servers used by the threat actor is vulnerable to remote attacks.

Gaza Cybergang, also known as Gaza Hackers Team and Molerats, has been active since at least 2012. The actor, which some believe is run by the Palestinian militant group Hamas, has mainly targeted organizations in Middle Eastern countries, but victims have also been observed in Europe and the United States.

In the recent attacks analyzed by the security firm, the threat group used two pieces of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.

Researchers noticed similarities in the code, decoys, targets and the command and control (C&C) infrastructure of the recent campaign and DustySky. They pointed out that the attacks were launched and the malware samples were built on days that coincide with the workweek in the Middle East.

Quasar is a free and open source RAT that has evolved from xRAT. The sample spotted in the Gaza Cybergang attacks appears to be a customized version developed using source code available on GitHub.

Once it infects a system, the malware can steal files, collect system information, download and execute files, open the task manager, kill or start processes, open a remote desktop connection, remotely control the mouse and keyboard, capture passwords, log keystrokes, visit websites, and display a message box.

An analysis of the C&C server used by QuasarRAT revealed the existence of remote code execution vulnerabilities allowing a second attacker to take control of the machine. While they haven’t made tests on the live server, lab simulations conducted by Palo Alto Networks showed that an attacker can change the QuasarRAT code on the server and report fake victim data.

Since the server does not check the validity of the data it receives, an attacker can trick the Gaza Cybergang into connecting to a specially crafted “victim” system, which can be used to deliver arbitrary files.

“Quasar is a .NET Framework assembly, loading multiple DLLs upon launch, for example ‘dnsapi.dll’. Quasar server is vulnerable to a simple DLL hijacking attack, by using this technique to replace server DLLs,” Palo Alto Networks researchers explained. “When the attacker restarts the Quasar application, our uploaded ‘dnsapi.dll’ will instead be loaded. Through this vector, we could drop our own Quasar client on the attacker’s server and execute it. Our Quasar RAT will connect to our own (secured, of course) Quasar server, allowing us to control that attacker’s server with his own RAT.”

As for Downeks, experts noticed new versions of the threat written in .NET – unlike the earlier samples which had been written in native code. The new versions, used against Hebrew-speaking targets, provide basic backdoor capabilities.

While Downeks’ primary role is to download other malware, it can also capture screenshots and check the infected system for the presence of security products.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.